Abstract

Recently, a chaos-based image encryption algorithm using alternate structure (IEAS) was proposed.
This paper focuses on differential cryptanalysis of the algorithm and finds that some properties of
IEAS can support a differential attack to recover the equivalent secret key with a small number of
known plain-images. Detailed approaches for cryptanalyzing IEAS of the lower round number are
presented, and the breaking method can be extended to the case of higher round number. Both
theoretical analysis and experiment results are provided to support the vulnerability of IEAS
against differential attack. In addition, some other security defects of IEAS, including
insensitivity with respect to changes of plain-images and insufficient size of key space, are also
reported.
1. Introduction

Security of multimedia data, including image and video, becomes more and more important as
transmission of multimedia data occurs more and more frequently in the current digital world.
However, the big differences between multimedia data and text, such as the bulk size of multimedia
data and the strong redundancy existing in neighboring elements of its uncompressed version, mean
that traditional text encryption algorithms like DES (Data Encryption Standard) cannot protect
multimedia data efficiently. In addition, multimedia encryption has other special requirements, like
fast encryption speed and easy cascade with the whole system. So, designing specific multimedia
encryption algorithms becomes an urgent task. Meanwhile, chaos theory was developed in depth
in the 1960s. The most famous character of chaos is the so-called "butterfly effect", i.e., states of a
chaos system are very sensitive to changes of its initial conditions and control parameters. This
character is very similar to the confusion and diffusion property of a cryptosystem, which measures
the sensitivity of encryption results with respect to change of the secret key and the plaintext. The
subtle similarity inspired researchers to design secure multimedia encryption algorithms by combining
chaos and cryptography.



* Corresponding author. 
Email address: chengqingg@gmail.com (Chengqing Li)



Preprint submitted to Elsevier December 22, 2011 



Due to the simple syntax of uncompressed images and the easy extension of image encryption schemes to
other multimedia data, most chaos-based multimedia encryption schemes consider image data as the
encryption object. In the past decade, hundreds of chaos-based image encryption schemes have
been proposed [l|, Ql-. In general, the usage of chaos in designing image encryption schemes can be
categorized as the following three classes:

• creating position permutation matrices [l|, 0, 0) 0];

• generating pseudo-random bit sequence, which is then used to control combination and composition of some basic arithmetical operations like modulo addition and exclusive or operation;

• producing ciphertext directly when plain-bytes of image are converted to initial condition and control parameters of a chaotic map 13|, llj].



Some general rules about evaluating security of chaos-based encryption algorithms can be found 
in [ij. 

In 161 , a new image encryption algorithm using alternate structure (IEAS) based on the general
cat-map and OCML (One-way Coupled Map Lattice) was proposed, where the two maps are
used for realizing position permutation/diffusion and value substitution respectively. Essentially,
the structure of IEAS belongs to Feistel networks, i.e., an iterated block cipher where the output
of the current round is determined by that of the previous one. This paper focuses on security
analysis of IEAS and finds that some properties of IEAS, existing when its integer parameter is
even, can be used to support a differential attack to recover the equivalent secret key of IEAS with
a small number of known/chosen plain-images. The approaches of the differential attack
are presented in detail when the round number of IEAS is less than or equal to four. In addition,
the cryptanalysis also finds some other security defects of IEAS, like insensitivity with respect to
changes of plain-images and insufficiently large key space.

The rest of this paper is organized as follows. The next section briefly introduces the image encryption
algorithm under study, IEAS. Section 3 presents the comprehensive cryptanalysis of the
algorithm with some experiment results. The last section concludes the paper.

2. IEAS encryption algorithm

The plain-image encrypted by the IEAS encryption algorithm is a gray-scale image of size $N \times 2N$
(height × width), which can be denoted by an $N \times 2N$ matrix in domain $\mathbb{Z}_{256}$. The encryption
algorithm divides the plain-image into two parts of the same size: $L = [L(i,j)]_{i=0,j=0}^{N-1,N-1}$
and $R = [R(i,j)]_{i=0,j=0}^{N-1,N-1}$. The corresponding cipher-image is composed of two parts also:
$l = [l(i,j)]_{i=0,j=0}^{N-1,N-1}$ and $r = [r(i,j)]_{i=0,j=0}^{N-1,N-1}$. With these notations, the IEAS
encryption algorithm can be described as follows^1.

• The secret key: the number of iteration round $T$ and the initial condition $K_0 \in (0, 1)$ of the
chaotic Logistic map

$$f(x) = \mu \cdot x \cdot (1 - x).$$



^1 To make the presentation more concise and complete, some notations in the original paper [ly] are modified, and
some details about the algorithm are also supplied or corrected under the precondition that its security is not influenced.

• The initialization procedures:

1) run the Logistic map iteratively with fixed control parameter, $\mu = 4$, $T + 2$ times from $K_0$
to generate a chaotic sequence $\{x_l\}_{l=0}^{T+1}$. Then, a 32-bit integer sequence $\{K_l\}_{l=0}^{T+1}$ is obtained
from $\{x_l\}_{l=0}^{T+1}$ as

2) permute and expand the 32 binary bits of each element of $\{K_l\}_{l=0}^{T+1}$ by the look-up table
shown in Table 1 and get a 50-bit integer sequence $\{K_l\}_{l=0}^{T+1}$.



Table 1: The Expansion Permutation Table. 
3) generate $T$ permutation matrixes $P_0 \sim P_{T-1}$, whose every entry represents its sole location
in the permuted version of the object to be permuted, as follows. For $l = 0 \sim T-1$,
$i = 0 \sim N-1$, $j = 0 \sim N-1$, do

$$P_l(i,j) = C_l \cdot \begin{pmatrix} i \\ j \end{pmatrix} \bmod N, \qquad (1)$$

where $C_l$ is the $t$-th element in the matrix set

$$\left\{ \begin{pmatrix} 1 & a \\ b & ab+1 \end{pmatrix}, \begin{pmatrix} ab+1 & a \\ b & 1 \end{pmatrix}, \begin{pmatrix} a & 1 \\ ab-1 & b \end{pmatrix}, \begin{pmatrix} a & ab-1 \\ 1 & b \end{pmatrix} \right\}, \qquad (2)$$

^ — 2-jk=Q^^l,k ^ ^ — l^k=0'^l,k+2 ^ J " — 2-jk=0^l,k+10 ^ ^ — 2-jk=0^l,k ^ ■ 

4) produce $T + 2$ mask matrixes, $V_0 \sim V_{T+1}$, of size $N \times N$ with the following two steps.

— Utilize an OCML model to generate $T + 2$ pseudo-random number matrixes of size
$N \times N$, $W_0 \sim W_{T+1}$. For $i = 0 \sim N-1$, $j = 0 \sim N-1$, do

$$W_l(i,j) = (1 - \varepsilon) \cdot f(W_l(i,j-1)) + \varepsilon \cdot f(W_l(i-1,j-1)),$$

where $\varepsilon = 0.875$, and the boundary conditions, $W_l(-1,-1) \sim W_l(-1,N-1)$ and
$W_l(0,-1) \sim W_l(N-2,-1)$, are assigned by the chaotic states obtained by iterating
the Logistic map 2N times from initial condition {Ylh=o ^"^i k+i8 ' 2^^)72^^. 

— Discretize $W_0 \sim W_{T+1}$ into $V_0 \sim V_{T+1}$. For $i = 0 \sim N-1$, $j = 0 \sim N-1$, do

$$V_l(i,j) = \lfloor W_l(i,j) \cdot 256 \rfloor.$$

• The encryption procedure is composed of $T$ rounds of five main steps. Let $L_l$ and $R_l$ denote
the left half part and the right half part of intermediate data obtained in the $l$-th round of
encryption, respectively. The schematic structure of IEAS is shown in Fig. 1. Set $l = 0$,
$L_l = L$ and $R_l = R$; IEAS runs with the following five steps repeatedly.




— Step (a) mask substitution on the left half part in the current round: let $l = l + 1$, and
do

$$R_l(i,j) = V_{l-1}(i,j) \oplus L_{l-1}(i,j) \qquad (3)$$

for $i = 0 \sim N-1$, $j = 0 \sim N-1$.

— Step (b) permutation on the right half part in the next round: for $i = 0 \sim N-1$,
$j = 0 \sim N-1$, do

$$R_l(i,j) = R_l(P_{l-1}(i,j)).$$

For simplicity, $R_l(P_{l-1})$ denotes this operation in the remainder of this paper.

— Step (c) substitution on the permuted right part: for $k = 1 \sim N^2 - 1$, do

$$L_l(i,j) = R_{l-1}(i,j) \oplus g(R_l(i,j), R_l(i',j')), \qquad (4)$$

where $L_l(0,0) = R_{l-1}(0,0) \oplus R_l(0,0)$, $i = \lfloor k/N \rfloor$, $j = \mathrm{mod}(k,N)$, $i' = \lfloor (k-1)/N \rfloor$,
$j' = \mathrm{mod}(k-1,N)$, and

$$g(x, y) = (x + A \cdot y) \bmod 256. \qquad (5)$$

— Step (d) repetition: repeat Step (a) through Step (c) $T - 1$ times.

— Step (e) final mask substitution: generate the two half parts of cipher-image as follows:
do

$$r = V_T \oplus L_T \qquad (6)$$

and

$$l = V_{T+1} \oplus R_T, \qquad (7)$$

where the exclusive or operation between two matrixes is calculated element-wise, the
same hereinafter.

• The decryption procedure is similar to the encryption process except the following simple
modifications: 1) Step (e) is performed first; 2) the different rounds of encryption are
exerted in a reverse order.



3. Differential cryptanalysis 

The task of differential cryptanalysis is to get information about the (equivalent) secret key of an
encryption algorithm by observing how differences in an input affect the resultant differences at the
output. Generally, the difference is defined with respect to the exclusive or (XOR) operation. In the
following, some properties of IEAS are introduced first, which work as the basis for differential
attack on IEAS under different round numbers.

Figure 1: Schematic structure of IEAS.

3.1. Some properties of IEAS

Property 1. Given two matrix entries (ii, ji) and {i2,j2) in Ri, o,nd let (ii, Ji) and {i2,j2) denote 
the corresponding locations in Ri . If the two original entries satisfy 

$$\gcd(\Delta, N) = 1, \qquad (8)$$

one has 

- (: :) ■ 

where 
mod N,



$\Delta = i_1 j_2 - i_2 j_1$, and $\Delta \cdot \Delta^{-1} \equiv 1 \bmod N$.
Proof. Obviously, (ii,ii), (22,^2), (n,ii), and (^2,72) satisfy 

Ail + njA ^^^^ ^ ^ HA 

\Sl2 + Uj2j \l2j 
which means

^ii ji\ fs\ _ (h+ KiN 



12 j2j \uj \i2+K2N 

where Ki,K2 G 

Using the Gaussian elimination method, one can get

h ji \.(^\^(^ + 
ni2 - i2jij \uj \i1i2 - i2k + N{K2h - Kii2) 

According to Cramer's rule, the above equation has one and only one solution when $\gcd(\Delta, N) = 1$. Thus,

s = A~^{iij2 - i2ji) mod N, 
u = /S~^{i2ii — 11^2) mod N. 

The value of f , t can be obtained similarly. □ 
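Property 1 amounts to solving a 2 × 2 linear system modulo $N$. The sketch below is an added example, not code from the paper: it recovers a cat-map matrix from two location correspondences using $\Delta^{-1} \bmod N$ and reports failure when condition (8) does not hold. The function names, the row-wise layout of `C` and the sample points are assumptions made for the illustration.

```python
from itertools import combinations
from math import gcd


def apply_map(C, point, N):
    """Location that point = (i, j) is sent to by C * (i, j)^T mod N, as in Eq. (1)."""
    i, j = point
    return ((C[0][0] * i + C[0][1] * j) % N, (C[1][0] * i + C[1][1] * j) % N)


def solve_from_two_pairs(src, dst, N):
    """Recover C from two correspondences dst[m] = C * src[m] mod N.

    Returns None when Delta = i1*j2 - i2*j1 is not invertible mod N,
    i.e. when condition (8) does not hold for the chosen entries.
    """
    (i1, j1), (i2, j2) = src
    delta = (i1 * j2 - i2 * j1) % N
    if gcd(delta, N) != 1:
        return None
    inv = pow(delta, -1, N)  # Delta^{-1} mod N (Python 3.8+)
    C = []
    for axis in (0, 1):  # row 0 from the new row indices, row 1 from the new column indices
        t1, t2 = dst[0][axis], dst[1][axis]
        # Cramer's rule on  x*i1 + y*j1 = t1,  x*i2 + y*j2 = t2  (mod N)
        x = inv * (t1 * j2 - t2 * j1) % N
        y = inv * (i1 * t2 - i2 * t1) % N
        C.append([x, y])
    return C


def recover_matrix(matches, N):
    """Try every pair of known correspondences until one satisfies condition (8)."""
    for (s1, d1), (s2, d2) in combinations(matches, 2):
        C = solve_from_two_pairs((s1, s2), (d1, d2), N)
        if C is not None:
            return C
    return None  # no usable pair: more correspondences are needed


# Constructed sample: a matrix of the first form in set (2) with a = 7, b = 12.
N = 256
C_TRUE = [[1, 7], [12, 7 * 12 + 1]]
POINTS = [(2, 4), (6, 2), (3, 5), (7, 2)]  # only the last two give an odd Delta
MATCHES = [(p, apply_map(C_TRUE, p, N)) for p in POINTS]
```

With $N$ a power of two, any pair of entries whose $\Delta$ is even is unusable, which is why the search may need more than the first two correspondences it finds.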

Property 2. If $2^n$ ($1 \le n \le 7$) divides variable $A$ in Eq. (5), then the substitution function $g(x,y)$
has no influence on the $n$ least significant bits of $x$, i.e., Eq. (4) becomes

$$L_{l,k}(i,j) = R_{l-1,k}(i,j) \oplus R_{l,k}(i,j),$$

where $k \in \{1, \cdots, n\}$, and $L_{l,k}$, $R_{l-1,k}$ and $R_{l,k}$ are the $k$-th least significant bit plane of $L_l$, $R_{l-1}$ and
$R_l$, respectively.

Proof. This property can be easily proved by calculating

$$\begin{aligned} g(x, y) &= x + A \cdot \sum_{i=0}^{7} y_i 2^i \bmod 256 \\ &= x + (A/2^n) \cdot \sum_{i=0}^{7} y_i 2^{i+n} \bmod 256. \end{aligned}$$

□



Let $L'_l$, $R'_l(P_{l-1})$ and $R'_{l-1}$ denote differential of two versions of $L_l$, $R_l(P_{l-1})$ and $R_{l-1}$,
respectively. Observing the structure of intermediate data under different rounds shown in Fig. 2, we
can get the following property.

Property 3. If $2^n$ ($1 \le n \le 7$) divides variable $A$ in Eq. (5), one has

$$\begin{cases} R'_l = L'_{l-1}, \\ L'_{l,k} = R'_{l-1,k} \oplus R'_{l,k}(P_{l-1}), \end{cases}$$

where $k \in \{1, \cdots, n\}$, and $L'_{l,k}$, $R'_{l-1,k}$ and $R'_{l,k}(P_{l-1})$ are the $k$-th least significant bit plane of $L'_l$,
$R'_{l-1}$ and $R'_l(P_{l-1})$, respectively.
Proof. This property can be easily proved with mathematical induction on $l$ ($1 \le l \le T$). When
$l = 1$,

$$\begin{aligned} R'_1 &= R_1 \oplus R_1^* \\ &= (L_0 \oplus V_0) \oplus (L_0^* \oplus V_0), \\ L'_{1,k} &= (R_{0,k} \oplus R_{1,k}(P_0)) \oplus (R_{0,k}^* \oplus R_{1,k}^*(P_0)) \\ &= R'_{0,k} \oplus R'_{1,k}(P_0). \end{aligned}$$

So, the property holds for $l = 1$. Assume that the property is true for $l = n$ ($n < T$), we prove the
case for $l = n + 1$.

$$\begin{aligned} R'_{n+1} &= (L_n \oplus V_n) \oplus (L_n^* \oplus V_n) \\ &= L'_n, \\ L'_{n+1,k} &= (R_{n,k} \oplus R_{n+1,k}(P_n)) \oplus (R_{n,k}^* \oplus R_{n+1,k}^*(P_n)) \\ &= R'_{n,k} \oplus R'_{n+1,k}(P_n). \end{aligned}$$

This completes the mathematical induction. □




Figure 2: Schematic structure of differential of intermediate data under different rounds.

3.2. Breaking IEAS when the number of iteration round is equal to one

Given two known/chosen plain-images, $[L_0, R_0]$ and $[L_0^*, R_0^*]$, and the corresponding
cipher-images, $[l, r]$ and $[l^*, r^*]$, one has

$$\begin{cases} L'_0 = L_0 \oplus L_0^*, \\ R'_0 = R_0 \oplus R_0^* \end{cases}$$

and 




From Property 3 one can get

$$\begin{cases} R'_1 = L'_0, \\ R'_{1,k}(P_0) = L'_{1,k} \oplus R'_{0,k}, \end{cases} \qquad (9)$$

where $k \in \{1, \cdots, n\}$ and $2^n$ ($1 \le n \le 7$) divides the parameter $A$ in Eq. (5). Comparing $\{R'_{1,k}\}_{k=1}^{n}$
and $\{R'_{1,k}(P_0)\}_{k=1}^{n}$, one may find two pairs of entries in $R'_1$ and $R'_1(P_0)$ whose locations satisfy
condition (8). Then, the transformation matrix $C_0$, generating the associated permutation matrix
$P_0$, can be solved according to Property 1. In case the search for the required entries fails, one can
resort to observing more known plain-images or constructing special differential images from more
chosen plain-images [H]. It has been shown that $\lceil 2\log_2(N) \rceil$ chosen binary plain-images are enough to
break any position permutation-only encryption algorithm exerting on binary plain-images of size
$N \times N$. Due to similarity, we do not mention the problem of determining the permutation matrix
with more known/chosen plain-images in the remainder of this paper. Once $C_0$ is determined, the
associated matrix $P_0$ can be obtained from it easily.
Referring to Eq. (3) and Eq. (7), one can get

$$V_2 \oplus V_0 = L_0 \oplus l. \qquad (10)$$

Combining Eq. (6) and Eq. (4) yields

$$r_k = V_{1,k} \oplus R_{0,k} \oplus R_{1,k}(P_0), \qquad (11)$$

where $r_k$ is the $k$-th least significant bit plane of $r$. As the exclusive or operation is linear with
respect to position permutation, one can get

$$R_{1,k}(P_0) = V_{0,k}(P_0) \oplus L_{0,k}(P_0)$$

from Eq. (3). Substituting $R_{1,k}(P_0)$ obtained in the above equation into Eq. (11), one can further
get

$$V_{1,k} \oplus V_{0,k}(P_0) = r_k \oplus R_{0,k} \oplus L_{0,k}(P_0). \qquad (12)$$

Since neither Eq. (10) nor Eq. (12) has any special requirement on the pair of plain-image
and corresponding cipher-image, some parts of any other cipher-image encrypted with the same
secret key, $[l^*, r^*]$, can be recovered by calculating

$$\begin{cases} L_0^* = l^* \oplus M_1, \\ R_{0,k}^* = r_k^* \oplus L_{0,k}^*(P_0) \oplus N_{1,k}, \end{cases}$$

where

$$M_1 = L_0 \oplus l,$$

Now, one can see that $M_1$, $\{N_{1,k}\}_{k=1}^{n}$ and $P_0$ can work together to recover the whole left half part
of $l^*$, and the $n$ least significant bit planes of the right part of $r^*$, $\{R_{0,k}^*\}_{k=1}^{n}$.

To verify the above analysis, some experiments on some plain-images of size 256 × 512 are made.
With secret key $K_0$ = 1234567/(2^^ - 1), $T = 1$ and parameter $A = 64$, two known plain-images,
cropped versions of two standard images, "Lenna" and "Baboon", and the corresponding
cipher-images are shown in Figs. 3a), b), d), e), respectively. The obtained information about the secret
key is used to decrypt another cipher-image shown in Fig. 3c), and the result is shown in Fig. 3f). The
whole left half part and the 6 least significant bit planes of the right half part of the recovered
image shown in Fig. 3f) are identical with the counterparts of the corresponding plain-image, which
agrees with the expected result well.

Figure 3: Differential attack on IEAS when $T = 1$: a) the first known plain-image; b) the second known plain-image;
c) cipher-image of plain-image "Airplane"; d) cipher-image of Fig. 3a); e) cipher-image of Fig. 3b); f) the recovered
plain-image of Fig. 3c).
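The $T = 1$ recovery above, as an added example that is not the authors' code: a toy one-round IEAS over a constructed 8 × 8 half-image, with random masks standing in for the OCML output and $P_0$ taken as already recovered through Property 1 (both assumptions). It follows the reading of Eqs. (10)-(12) in which $l$ masks the unpermuted $R_1$, and it also runs an odd $A$ to show that the recovery of the right half depends on the bit-plane relation of Property 2.

```python
import random

N = 8  # toy half-image size (constructed; the experiments on the page use 256)


def xor(X, Y):
    return [[a ^ b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def low_bits(X, n):
    return [[x & ((1 << n) - 1) for x in row] for row in X]


def permute(M, C):
    """M(P): entry (i, j) takes the value found at P(i, j) = C * (i, j)^T mod N, Eq. (1)."""
    return [[M[(C[0][0] * i + C[0][1] * j) % N][(C[1][0] * i + C[1][1] * j) % N]
             for j in range(N)] for i in range(N)]


def encrypt_one_round(L0, R0, V, C0, A):
    """IEAS with T = 1: steps (a)-(c) once, then the final masks of step (e)."""
    R1 = xor(V[0], L0)                                    # Eq. (3)
    flat = [x for row in permute(R1, C0) for x in row]    # step (b), raster order
    L1 = [[0] * N for _ in range(N)]
    for k in range(N * N):
        i, j = divmod(k, N)
        g = flat[0] if k == 0 else (flat[k] + A * flat[k - 1]) % 256   # Eq. (5)
        L1[i][j] = R0[i][j] ^ g                           # Eq. (4)
    return xor(V[2], R1), xor(V[1], L1)                   # (l, r): Eqs. (7), (6)


def equivalent_key(L0, R0, l, r, C0, n):
    """M_1 from Eq. (10) and the n low bit planes of the right side of Eq. (12)."""
    M1 = xor(L0, l)
    N1 = low_bits(xor(xor(r, R0), permute(L0, C0)), n)
    return M1, N1


def recover(l_star, r_star, M1, N1, C0, n):
    """Left half in full, right half on its n least significant bit planes."""
    L0_star = xor(l_star, M1)
    R0_low = low_bits(xor(xor(r_star, permute(L0_star, C0)), N1), n)
    return L0_star, R0_low


def demo(A, n, seed=1):
    """Returns (left half recovered, n low planes of right half recovered)."""
    rng = random.Random(seed)
    rand_img = lambda: [[rng.randrange(256) for _ in range(N)] for _ in range(N)]
    V = [rand_img() for _ in range(3)]        # V_0..V_2, stand-ins for the OCML masks
    C0 = [[1, 3], [5, 3 * 5 + 1]]             # first form of set (2), a = 3, b = 5
    L0, R0 = rand_img(), rand_img()           # known plain-image (constructed)
    Ls, Rs = rand_img(), rand_img()           # second plain-image, same key
    l, r = encrypt_one_round(L0, R0, V, C0, A)
    ls, rs = encrypt_one_round(Ls, Rs, V, C0, A)
    M1, N1 = equivalent_key(L0, R0, l, r, C0, n)
    L_rec, R_low = recover(ls, rs, M1, N1, C0, n)
    return L_rec == Ls, R_low == low_bits(Rs, n)
```

`demo(64, 6)` and `demo(128, 7)` recover both parts, while `demo(63, 6)` still recovers the left half (Eq. (10) does not involve $A$) but not the low bit planes of the right half.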



3.3. Breaking IEAS when the number of iteration round is equal to two

In this case, the differential of ciphertext is

$$\begin{cases} L'_2 = r \oplus r^*, \\ R'_2 = l \oplus l^*. \end{cases} \qquad (13)$$

From Property 3, one has

$$\begin{cases} R'_1 = L'_0, \\ R'_{1,k}(P_0) = R'_{2,k} \oplus R'_{0,k}, \end{cases}$$

where $R'_{2,k}$ is the $k$-th least significant bit plane of $R'_2$. Then, the transformation matrix $C_0$,
generating the associated permutation matrix $P_0$, can be recovered by comparing $\{R'_{1,k}\}_{k=1}^{n}$ and
$\{R'_{1,k}(P_0)\}_{k=1}^{n}$.

Still from Property 3 one has

Similarly, one can get the transform matrix $C_1$, then permutation matrix $P_1$, by comparing
$\{R'_{2,k}\}_{k=1}^{n}$ and $\{R'_{2,k}(P_1)\}_{k=1}^{n}$.
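Referring to Eq. (7), one has

$$l_k = V_{3,k} \oplus R_{2,k}, \qquad (14)$$

where $l_k$ is the $k$-th least significant bit plane of $l$. Combining Eq. (3), Eq. (4) and Eq. (6) yields

$$\begin{aligned} r_k &= V_{2,k} \oplus L_{2,k} \\ &= V_{2,k} \oplus R_{1,k} \oplus R_{2,k}(P_1) \\ &= V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus R_{2,k}(P_1). \end{aligned}$$

Substituting $R_{2,k}$ obtained in Eq. (14) into the above equation, one has

$$V_{3,k}(P_1) \oplus V_{2,k} \oplus V_{0,k} = l_k(P_1) \oplus r_k \oplus L_{0,k}. \qquad (15)$$

Combining Eq. (3) and Property 2, one can get

$$\begin{aligned} R_{2,k} &= V_{1,k} \oplus L_{1,k} \\ &= V_{1,k} \oplus R_{0,k} \oplus R_{1,k}(P_0) \\ &= V_{1,k} \oplus R_{0,k} \oplus V_{0,k}(P_0) \oplus L_{0,k}(P_0), \end{aligned} \qquad (16)$$

then Eq. (14) becomes

$$V_{3,k} \oplus V_{1,k} \oplus V_{0,k}(P_0) = l_k \oplus L_{0,k}(P_0) \oplus R_{0,k}. \qquad (17)$$

Since both Eq. (15) and Eq. (17) always hold for any pair of plain-image and cipher-image
encrypted with the same secret key, it can be easily verified that

$$\begin{cases} L_{0,k}^* = l_k^*(P_1) \oplus r_k^* \oplus M_{2,k}, \\ R_{0,k}^* = l_k^* \oplus L_{0,k}^*(P_0) \oplus N_{2,k}, \end{cases}$$

where

$$\begin{cases} M_{2,k} = l_k(P_1) \oplus r_k \oplus L_{0,k}, \\ N_{2,k} = l_k \oplus L_{0,k}(P_0) \oplus R_{0,k}. \end{cases}$$

The above equations mean that $M_{2,k}$, $N_{2,k}$ and $\{P_l\}_{l=0}^{1}$ can work together to recover the $k$-th least
significant bit plane of any other cipher-image encrypted with the same secret key, $[L_{0,k}^*, R_{0,k}^*]$, for
$k = 1 \sim n$.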

To verify the above analysis, some experiments are made. With secret key $K_0$ = 1234567/(2^^ - 1),
$T = 2$ and parameter $A = 64$, encryption results of the two known-images shown in Figs. 3a)
and b) are shown in Figs. 4a) and b), respectively. The information about the equivalent secret key
obtained from the two pairs of plain-images and cipher-images is used to decrypt another cipher-image
shown in Fig. 4c), and the result is shown in Fig. 4d). It is counted that the 6 least significant
bit planes of the image shown in Fig. 4d) are identical with the counterparts of the corresponding
plain-image.

Figure 4: Differential attack on IEAS when $T = 2$: a) cipher-image of Fig. 3a); b) cipher-image of Fig. 3b); c)
cipher-image of plain-image "Airplane"; d) the recovered plain-image of Fig. 3c).

3.4. Breaking IEAS when the round number is equal to three

In this sub-section we discuss how to break the version of IEAS of three rounds with no less
than three chosen plain-images.

In this case, the differential of ciphertext is 



$R'_{3,k}(P_2)$ can be obtained from Eq. (18). With the same method mentioned above, $P_2$ can be




According to Property 3 one has

$$L'_{3,k} = R'_{3,k}(P_2) \oplus R'_{2,k} \qquad (18)$$



If $L'_{0,k}$ is chosen as a binary matrix of fixed value, which makes




(19) 




(20) 



Note that 
Substituting Eq. (20) into the above equation, one can get

= -Ro,fc(-Pi)- 

Then, R'^ ^(-Pi) can be obtained from the above equation, and -Pi can be recovered by comparing 

and 

Once $P_2$ is recovered, $L'_{0,k}(P_0)$ can be obtained from Eq. (18). Then, $P_0$ can be recovered
by comparing $\{L'_{0,k}\}_{k=1}^{n}$ and $\{L'_{0,k}(P_0)\}_{k=1}^{n}$. As mentioned before, one and even more pairs of
plaintext and the corresponding ciphertexts are required to find two pairs of entries in $L'_{0,k}$ and
$L'_{0,k}(P_0)$ whose locations satisfy condition (8).

From Eq. (7), one has

$$l_k = V_{4,k} \oplus R_{3,k}, \qquad (21)$$

where $R_{3,k}$ is the $k$-th least significant bit plane of $R_3$. Combining Eq. (3), Eq. (4) and Eq. (6), one
can get

$$\begin{aligned} r_k &= V_{3,k} \oplus L_{3,k} \\ &= V_{3,k} \oplus V_{1,k} \oplus L_{1,k} \oplus R_{3,k}(P_2) \\ &= V_{3,k} \oplus V_{1,k} \oplus R_{0,k} \oplus R_{1,k}(P_0) \oplus R_{3,k}(P_2) \\ &= V_{3,k} \oplus V_{1,k} \oplus R_{0,k} \oplus V_{0,k}(P_0) \oplus L_{0,k}(P_0) \oplus R_{3,k}(P_2). \end{aligned}$$

Substituting $R_{3,k}$ obtained in Eq. (21) into the above equation, one gets

$$V_{4,k}(P_2) \oplus V_{3,k} \oplus V_{1,k} \oplus V_{0,k}(P_0) = l_k(P_2) \oplus r_k \oplus R_{0,k} \oplus L_{0,k}(P_0). \qquad (22)$$

Referring to Eq. (3) and Eq. (16), one has

$$\begin{aligned} R_{3,k} &= V_{2,k} \oplus L_{2,k} \\ &= V_{2,k} \oplus R_{1,k} \oplus R_{2,k}(P_1) \\ &= V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus V_{1,k}(P_1) \oplus R_{0,k}(P_1) \oplus V_{0,k}(P_0P_1) \oplus L_{0,k}(P_0P_1), \end{aligned} \qquad (23)$$

then Eq. (21) can be rewritten as

$$l_k = V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus V_{1,k}(P_1) \oplus R_{0,k}(P_1) \oplus V_{0,k}(P_0P_1) \oplus L_{0,k}(P_0P_1).$$

Substituting $L_{0,k}(P_0)$ obtained in Eq. (22) into the above equation, one gets

$$V_{4,k}(P_2P_1) \oplus V_{3,k}(P_1) \oplus V_{4,k} \oplus V_{2,k} \oplus V_{0,k} = l_k(P_2P_1) \oplus r_k(P_1) \oplus l_k \oplus L_{0,k}. \qquad (24)$$

Since both Eq. (22) and Eq. (24) hold for any pair of plain-image and its corresponding
cipher-image, it can be easily verified that

$$\begin{cases} L_{0,k}^* = l_k^*(P_2P_1) \oplus r_k^*(P_1) \oplus l_k^* \oplus M_{3,k}, \\ R_{0,k}^* = l_k^*(P_2) \oplus r_k^* \oplus L_{0,k}^*(P_0) \oplus N_{3,k}, \end{cases}$$

where

$$M_{3,k} = l_k(P_2P_1) \oplus r_k(P_1) \oplus l_k \oplus L_{0,k},$$

The above equations mean that $M_{3,k}$, $N_{3,k}$ and $\{P_l\}_{l=0}^{2}$ can work together to recover the $k$-th least
significant bit plane of any other cipher-image encrypted with the same secret key, $[L_{0,k}^*, R_{0,k}^*]$, for
$k = 1 \sim n$.

To verify the above analysis, some similar experiments are made with $K_0$ = 1234567/(2^^ - 1),
$T = 3$ and $A = 64$. First, a chosen plain-image is composed by combining the left half part of
Fig. 3a) and the right half part of Fig. 3b), so that the special differential files satisfying
Eq. (19) can be generated. Then, the three plain-images shown in Figs. 3a), b), Fig. 5a) and
a plain-image "Airplane" are encrypted with the same secret key, and the results are shown in
Figs. 5b), c), d), e), respectively. With the three pairs of plain-images and cipher-images, some
information about the secret key is obtained to decrypt the cipher-image shown in Fig. 5e) and the
result is shown in Fig. 5f). It is counted that the 6 least significant bit planes of the image shown
in Fig. 5f) are identical with the counterparts of the corresponding plain-image also.

Figure 5: Differential attack on IEAS when $T = 3$: a) the constructed plain-image; b) cipher-image of Fig. 3a); c)
cipher-image of Fig. 3b); d) cipher-image of Fig. 5a); e) cipher-image of the plain-image "Airplane"; f) the recovered
plain-image of Fig. 5e).



3.5. Breaking IEAS of higher rounds ($T \ge 4$)

It is not hard to notice that there are some general approaches to breaking IEAS of different
rounds. Here, we take breaking the version of IEAS under four rounds as an example to illustrate
how to implement differential attack on IEAS in a general way.

• Step 1) breaking position permutation:

According to Property 3 one has



= B!o,k{P^) © L'.^kiPoPs) © L'^,k{P2Pz) © L;,fc(PlP2P3) 

e i^'o,fc(Pl) © 4,fc(J'oi'i) © i^d,fc, (25) 

and Z'j^ ^ = Pq ^ © R'^ ki-^^)-> where R^ ^ is the fc-th least significant bit plane of R^. Then, 
the problem becomes how to recover the permutation matrixes generated by Eq. (1) by
constructing some special differential plain-images.

— Determining $P_1$ and $P_3$ by choosing special $R'_{0,k}$

If $L'_{0,k}$ is chosen of fixed value zero, one can get $L'_{1,k} = R'_{0,k}$. Substituting it into Eq. (25),
one has

$$L'_{4,k} = R'_{0,k}(P_1) \oplus R'_{0,k}(P_3) \oplus R'_{0,k}(P_1P_2P_3). \qquad (26)$$

Assume a special differential image satisfies $L'_{0,k}(i,j) = 0$ and $R'_{0,k}(i,j) = 0$ except that

$$\begin{cases} R'_{0,k}(i_1,j_1) = \alpha_1, \\ R'_{0,k}(i_2,j_2) = \beta_1, \end{cases} \qquad (27)$$

where $\gcd(i_1 j_2 - i_2 j_1, N) = 1$ and $\alpha_1 \ne \beta_1$. Observing Eq. (26), one can see that one pixel
of $R'_{0,k}$ can influence at most three pixels of $L'_{4,k}$. So, one can get (l) ■ (^7^) = 6 possible
values of $(C_1, C_3, C_1C_2C_3)$ by referring to Property 1. When the condition of Proposition 1
exists, the matrix $(C_1C_2C_3)$ can be recognized by checking which matrix has elements
that are all greater than one^2. Since multiplication of two different matrixes of set (2) is not
commutative when $(a + b) \ne 0$, $C_1$ and $C_3$ can be confirmed by checking whether
$(C_1^{-1}(C_1C_2C_3)C_3^{-1})$ has the form of the matrixes of set (2). Finally, the corresponding
associated matrixes $P_1$ and $P_3$ can be obtained.

Proposition 1. When $a, b \notin \{0, 1\}$, there is no 1's in the product of any three matrixes
(including the same matrixes) of set (2).

Proof. When $a, b \notin \{0, 1\}$, every element of the four matrixes in set (2) is greater than
or equal to one. According to the multiplication rule of matrix, it can easily be concluded that
the proposition holds. □

— Determining $P_0$ and $P_2$ by choosing special $L'_{0,k}$

If $R'_{0,k}$ is chosen of fixed value zero, it is easy to get

$$= L'_{0,k}(P_0) \oplus L'_{0,k}(P_2) \oplus L'_{0,k}(P_0P_1P_2).$$

^2 To simplify analysis, the cases when $a, b \in \{0, 1\}$ and elements of the multiplication of three matrixes of set (2)
happen to be $(1 \bmod N)$ are not discussed here.

Construct another special differential image satisfying $R'_{0,k}(i,j) = 0$ and $L'_{0,k}(i,j) = 0$
except that

$$L'_{0,k}(i_1,j_1) = \alpha_2, \qquad (28)$$

where $\gcd(i_1 j_2 - i_2 j_1, N) = 1$ and $\alpha_2 \ne \beta_2$. Then one can use the same method
mentioned above to get the permutation matrixes $P_0$ and $P_2$.

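• Step 2) breaking value substitution:

From Eq. (7) and Property 2 one can get

$$l_k = V_{5,k} \oplus R_{4,k} \qquad (29)$$

and

$$\begin{aligned} r_k &= V_{4,k} \oplus R_{3,k} \oplus R_{4,k}(P_3) \\ &= V_{4,k} \oplus V_{2,k} \oplus L_{2,k} \oplus R_{4,k}(P_3) \\ &= V_{4,k} \oplus V_{2,k} \oplus R_{1,k} \oplus R_{2,k}(P_1) \oplus R_{4,k}(P_3) \\ &= V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus V_{1,k}(P_1) \oplus L_{1,k}(P_1) \oplus R_{4,k}(P_3) \\ &= V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus V_{1,k}(P_1) \oplus R_{0,k}(P_1) \oplus R_{1,k}(P_0P_1) \oplus R_{4,k}(P_3) \\ &= V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \oplus L_{0,k} \oplus V_{1,k}(P_1) \oplus R_{0,k}(P_1) \\ &\quad \oplus V_{0,k}(P_0P_1) \oplus L_{0,k}(P_0P_1) \oplus R_{4,k}(P_3). \end{aligned}$$

Substituting $R_{4,k}$ obtained in Eq. (29) into the above equation, one has

$$\begin{aligned} &V_{5,k}(P_3) \oplus V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \oplus V_{1,k}(P_1) \oplus V_{0,k}(P_0P_1) \\ &\quad = l_k(P_3) \oplus r_k \oplus L_{0,k} \oplus R_{0,k}(P_1) \oplus L_{0,k}(P_0P_1). \end{aligned} \qquad (30)$$

Referring to Eq. (23) and Eq. (16), one can get

$$\begin{aligned} R_{4,k} &= V_{3,k} \oplus L_{3,k} \\ &= V_{3,k} \oplus R_{2,k} \oplus R_{3,k}(P_2) \\ &= V_{3,k} \oplus V_{1,k} \oplus R_{0,k} \oplus V_{0,k}(P_0) \oplus L_{0,k}(P_0) \oplus R_{3,k}(P_2) \\ &= V_{3,k} \oplus V_{1,k} \oplus R_{0,k} \oplus V_{0,k}(P_0) \oplus L_{0,k}(P_0) \oplus V_{2,k}(P_2) \oplus V_{0,k}(P_2) \\ &\quad \oplus L_{0,k}(P_2) \oplus V_{1,k}(P_1P_2) \oplus R_{0,k}(P_1P_2) \oplus V_{0,k}(P_0P_1P_2) \oplus L_{0,k}(P_0P_1P_2). \end{aligned}$$

Hence Eq. (29) becomes

$$\begin{aligned} &V_{5,k} \oplus V_{3,k} \oplus V_{1,k} \oplus V_{0,k}(P_0) \oplus V_{2,k}(P_2) \oplus V_{0,k}(P_2) \oplus V_{1,k}(P_1P_2) \oplus V_{0,k}(P_0P_1P_2) \\ &\quad = l_k \oplus R_{0,k} \oplus L_{0,k}(P_0) \oplus L_{0,k}(P_2) \oplus R_{0,k}(P_1P_2) \oplus L_{0,k}(P_0P_1P_2). \end{aligned} \qquad (31)$$

Substituting $L_{0,k}(P_0P_1)$ obtained in Eq. (30) into Eq. (31) yields

$$\begin{aligned} &V_{5,k}(P_3P_2) \oplus V_{4,k}(P_2) \oplus V_{5,k} \oplus V_{3,k} \oplus V_{1,k} \oplus V_{0,k}(P_0) \\ &\quad = l_k(P_3P_2) \oplus r_k(P_2) \oplus l_k \oplus R_{0,k} \oplus L_{0,k}(P_0). \end{aligned} \qquad (32)$$

Substituting $L_{0,k}(P_0)$ obtained in Eq. (32) into Eq. (30), one can get

$$\begin{aligned} &V_{5,k}(P_3P_2P_1) \oplus V_{4,k}(P_2P_1) \oplus V_{5,k}(P_1) \oplus V_{3,k}(P_1) \oplus V_{5,k}(P_3) \oplus V_{4,k} \oplus V_{2,k} \oplus V_{0,k} \\ &\quad = l_k(P_3P_2P_1) \oplus r_k(P_2P_1) \oplus l_k(P_1) \oplus l_k(P_3) \oplus r_k \oplus L_{0,k}. \end{aligned} \qquad (33)$$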

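• Step 3) decrypting another cipher-image encrypted with the same secret key:

Since both Eq. (32) and Eq. (33) hold for any pair of plain-image and its corresponding
cipher-image, one can get

$$\begin{cases} L_{0,k}^* = l_k^*(P_3P_2P_1) \oplus l_k^*(P_1) \oplus l_k^*(P_3) \oplus r_k^*(P_2P_1) \oplus r_k^* \oplus M_{4,k}, \\ R_{0,k}^* = l_k^*(P_3P_2) \oplus l_k^* \oplus r_k^*(P_2) \oplus L_{0,k}^*(P_0) \oplus N_{4,k}, \end{cases}$$

where

$$\begin{cases} M_{4,k} = l_k(P_3P_2P_1) \oplus r_k(P_2P_1) \oplus l_k(P_1) \oplus l_k(P_3) \oplus r_k \oplus L_{0,k}, \\ N_{4,k} = l_k(P_3P_2) \oplus r_k(P_2) \oplus l_k \oplus R_{0,k} \oplus L_{0,k}(P_0). \end{cases}$$

The above equation means that $\{M_{4,k}\}_{k=1}^{n}$, $\{N_{4,k}\}_{k=1}^{n}$, and $\{P_l\}_{l=0}^{3}$ can work together to
recover the $n$ least significant bit planes of the right part of $l^*$ and $r^*$, $\{L_{0,k}^*\}_{k=1}^{n}$ and $\{R_{0,k}^*\}_{k=1}^{n}$.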

To verify the above analysis, experiments are made with $K_0$ = 1234567/(2^^ - 1), $T = 4$, and
$A = 64$ or $128$. First, two special known-images are generated by modifying the image shown
in Fig. 3a) to make the differential images satisfy condition (28). Due to the similarity of the two
constructed plain-images, only one of them is shown in Fig. 6a). Similarly, the other two special
known-images are constructed by modifying the image shown in Fig. 3a). The encryption result
of the plain-image "Airplane" is shown in Fig. 6b). With the five chosen plain-images, some
information about the secret key is obtained to decrypt the cipher-image shown in Fig. 6b) and the
result is shown in Fig. 6c). When only $A$ is changed to 128, the recovered image of the corresponding
cipher-image of the plain-image "Airplane" is shown in Fig. 6d). Once again, the experiment results
demonstrate that the breaking performance is mainly determined by the integer $n$ in Property 2.

Figure 6: Differential attack on IEAS when $T = 4$: a) chosen plain-image; b) cipher-image of plain-image "Airplane";
c) the recovered plain-image with $A = 64$; d) the recovered plain-image with $A = 128$.
4. Some other security defects of IEAS

To make the cryptanalysis of IEAS more complete, some other security defects of IEAS are given
in this section.

• The key space of IEAS is not big enough

In 0, Sec. 4], it is claimed that the key space of IEAS is $2^{32(T+2)}$ since PRNS $\{K_l\}_{l=0}^{T+1}$ has
$32(T + 2)$ bits. However, this is not true since $\{K_l\}_{l=0}^{T+1}$ is generated by the Logistic map
under initial condition $K_0$, which has only $n_0$ unknown bits, where $n_0$ is the precision length of
the computer. In fact, permutation matrixes $\{P_l\}_{l=0}^{T-1}$ and mask matrixes $\{V_l\}_{l=0}^{T+1}$ can compose
an equivalent secret key of IEAS, and $\{P_l\}_{l=0}^{T-1}$ has only $4^T$ possible cases. Since generation
of $\{P_l\}_{l=0}^{T-1}$ is also controlled by $\{K_l\}_{l=0}^{T+1}$, we can conclude that the real key space of IEAS
is only $2^{n_0} \cdot T = 2^{n_0}T$. In [3], $n_0 = 32$, so the key space of IEAS is less than $2^{32} \cdot 16 = 2^{36}$
considering $T \le 16$. Even if computation precision of 64 bits is used, the key space is only $2^{68}$,
which is much lower than the expected size of a secure cipher, $2^{128}$.

• Insufficient sensitivity with respect to change of plain-image

As is well known in cryptography, sensitivity of ciphertext with respect to changes of plaintext is
a very important property for measuring a secure encryption scheme. This property is especially
important for secure image encryption schemes since a plain-image and its watermarked
version are often encrypted at the same time. In 0, Sec. 4.2], it was claimed that IEAS
satisfies the property well. However, IEAS fails to do so due to the following points.

— The sole nonlinear operation is only used to expand PRBS, and no nonlinear operation,
like S-box, is involved in handling the plain-image;

— There is no operation generating a carry bit toward lower level in the whole scheme, so
a bit of plain-image can only influence the bits at higher bit planes in the cipher-image;

— If $2^n$ ($1 \le n \le 7$) divides variable $A$ in Eq. (5), any change of the bits in the $k$-th bit
plane of plain-image will only affect the bits in the same bit plane of cipher-image for
$k = 1 \sim n$.

• Superior performance of IEAS is questionable

The cryptanalysis presented in the above section is based on the precondition of Property 2,
namely $2^n$ ($1 \le n \le 7$) divides variable $A$ in Eq. (5). This means that IEAS would become
robust against the proposed attack if $A$ is odd. Under this condition, Property 2 still holds
with some probability. So, the proposed attack may still be valid with a little higher
complexity. To show that the inferior performance of IEAS is undoubted in any case, IEAS is compared
with its analogue, DES. The encryption complexity of DES on 128 plain-bits and the widely
recognized robustness of DES against differential attack under some rounds are shown in
Table 2 [13, 18]. In contrast, the encryption complexity of IEAS on the same data and its robustness
against differential attack are shown in Table 2 also. Although the details of deriving the attack
complexity of IEAS when the round number is larger than four are not given here, one can conclude
confidently that IEAS is much weaker than DES now.
Table 2: Comparison between IEAS and DES in terms of complexity of encrypting 128 plain-bits and robustness
against differential attack, where CP and KP denote chosen plaintexts and known plaintexts, respectively.

Round     Complexity               Attack: Data             Attack: Success Rate
Number    DES         IEAS         DES         IEAS         DES        IEAS
1         O(2^)                    O(1)CP      2CP          100%       100%
2         O(2^u)      O(2^^)       O(1)CP      2CP          100%       100%
3         O(2^^^)     O(2^^)       O(1)CP      3CP          100%       100%
4         O(2")       O(2i4)       24CP        5CP          100%       100%
12                    O(2i^)       244KP       14KP         10%        100%
13                    O(2i^)       24&KP       14KP         10%        100%
16        O(2i^)      O(2i«)       25UKP       14KP         51.3%      100%



5. Conclusion 

The security of an image encryption algorithm called IEAS, a block cipher composed of multiple
rounds, was studied comprehensively in this paper. Some properties of IEAS are derived to support
differential attack on it when its key parameter is even. The detailed approaches for breaking IEAS,
when the round number is less than five, are presented and can be easily extended to break the version
of IEAS of higher rounds. In addition, it is found that the encryption results of IEAS are not sensitive
with respect to changes of plain-image and its key space is not big enough. The cryptanalysis of IEAS
shown in this paper and the comparison between IEAS and DES demonstrate that IEAS is not an attractive
secure image encryption scheme and should not be used in applications requiring a high level of
security.